
This is my first try to create a VM on GCP through Terraform. Here are the 2 files which I created.

provider.tf

provider "google" {
  credentials = "${file("xxxxxx.json")}"   # service-account key file
  project     = "project-1-200623"
  region      = "us-central1"
}

compute.tf

# Create a new instance
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-8"
    }
  }

  network_interface {
    network = "default"
    # An empty access_config block requests an ephemeral external IP
    access_config {}
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}

I am getting the below error:

Error: Error applying plan:

1 error(s) occurred:

* google_compute_instance.default: 1 error(s) occurred:

* google_compute_instance.default: Error loading zone 'us-central1-a': googleapi: Error 403: Required 'compute.zones.get' permission for 'projects/project-1-200623/zones/us-central1-a', forbidden.

Initially I thought there was some syntax issue with the VM image, but even after changing to multiple others I get the same issue. The service account has owner permissions on the project, so I can rule that out. Can someone please help me here?

Appreciate the help !

  • What IAM roles does your user have for this project? Commented Apr 14, 2018 at 18:27
  • Editor role before, but changed to Project Owner; still the same result. Commented Apr 14, 2018 at 19:19
  • In that case, are the necessary APIs enabled for the project? You can do this with Terraform terraform.io/docs/providers/google/r/… or experiment with the console to see first. Commented Apr 14, 2018 at 19:43
  • Hi Henry, thank you for the input. Compute, network, IAM and a few other APIs are enabled, and a bunch of others. Not sure if any specific ones are required. Any chance you have specific code which is working for you? Commented Apr 14, 2018 at 21:40
  • Can you share the output from: gcloud services list and confirm the provider identity is the same as the user you say has owner permissions? Commented Apr 14, 2018 at 22:41

3 Answers


Terraform needs the Organization Admin permission.

These are the steps to add this permission:

  1. Sign in to the Google Cloud Console as a Google Workspace or Cloud Identity super administrator and navigate to the IAM & Admin page: go to the admin page
  2. Select the organization you want to edit:
     a. Click the project drop-down list at the top of the page.
     b. In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization admin.
     c. On the list that appears, click the organization to open its IAM Permissions page.
  3. Click Add, and then enter the email address of one or more users you want to set as organization administrators.
  4. In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

The Organization admin can do the following:

  • Take full control of the organization. Separation of responsibilities between the Google Workspace or Cloud Identity super administrator and the Google Cloud administrator is established.
  • Delegate responsibility over critical functions by assigning the relevant IAM roles.

I recommend you create a different service account to keep your projects separate; you can check how to create your service account here.



I'm with Paula. Double check your provider credentials. There's nothing wrong with this code.



I faced the same issue. I assigned the following roles and it worked: Compute Admin, Compute Instance Admin, Service Account, Service Account Admin.

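The advice in the second and third answers, and in the comment asking to confirm the provider identity, comes down to two checks: which principal the key file named in provider.tf actually authenticates as, and which roles that principal (not the human user looking at the console) holds on the target project. Here is an added example, not code from the question or any of the answers, that runs both checks offline against a downloaded key file and the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns. The key file, the two policies and the service-account email in it are constructed sample data, and the set of roles it treats as including compute.zones.get is an assumption to confirm with `gcloud iam roles describe ROLE`.

```python
import json

# Predefined roles whose permission set includes compute.zones.get.
# ASSUMPTION for this example: a deliberately short allow-list; confirm any
# role with `gcloud iam roles describe ROLE` before relying on it.
ROLES_WITH_ZONES_GET = {
    "roles/owner",
    "roles/editor",
    "roles/viewer",
    "roles/compute.admin",
    "roles/compute.viewer",
    "roles/compute.instanceAdmin.v1",
}

# Constructed sample key file, shaped like the JSON GCP issues for a
# service-account key (private key material omitted on purpose).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "project-1-200623",
    "client_email": "terraform@project-1-200623.iam.gserviceaccount.com",
})

# Constructed project IAM policy: Owner was granted to the human user, while
# the service account Terraform authenticates as only got a storage role.
# This is the mismatch the comments on the question suspect.
POLICY_MISMATCH = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:terraform@project-1-200623.iam.gserviceaccount.com"]},
    ]
})

# Constructed policy where the service account holds a role that can read zones.
POLICY_OK = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:terraform@project-1-200623.iam.gserviceaccount.com"]},
    ]
})


def key_identity(key_json):
    """Return the principal a credentials file will authenticate as."""
    key = json.loads(key_json)
    return {
        "type": key.get("type"),
        "project": key.get("project_id"),
        "email": key.get("client_email"),
    }


def roles_for_member(policy_json, member):
    """Collect the roles bound to `member` (e.g. 'serviceAccount:x@y') in a
    project IAM policy. Conditional bindings are reported too; the condition
    itself is not evaluated here."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def diagnose(key_json, policy_json, provider_project):
    """Explain a 403 on compute.zones.get from what the key and policy say.
    Returns a list of findings; ['ok'] means nothing obvious is wrong."""
    ident = key_identity(key_json)
    findings = []
    if ident["type"] != "service_account":
        findings.append(f"credentials file is not a service-account key (type={ident['type']!r})")
    if ident["project"] != provider_project:
        findings.append(f"key belongs to project {ident['project']!r} but the provider targets "
                        f"{provider_project!r}; the SA needs a binding on the target project")
    member = f"serviceAccount:{ident['email']}"
    roles = roles_for_member(policy_json, member)
    if not roles:
        findings.append(f"{member} has no IAM binding on {provider_project}; "
                        "the Owner role may sit on a different principal")
    elif not roles & ROLES_WITH_ZONES_GET:
        findings.append(f"{member} holds {sorted(roles)}, none of which grants compute.zones.get")
    return findings or ["ok"]


if __name__ == "__main__":
    for name, policy in (("mismatch", POLICY_MISMATCH), ("ok", POLICY_OK)):
        print(name, diagnose(SAMPLE_KEY, policy, "project-1-200623"))
```

The typical finding for this question is the first case: the Owner binding is on the human user, while provider.tf points at a service-account key that only holds some unrelated role, so the console looks right but Terraform is not that user. The check does not cover a disabled Compute Engine API, which `gcloud services list --enabled` shows.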
